BaN (.BaN) ransomware virus - removal and decryption options
Written by Tomas Meskauskas on
What kind of malware is BaN?
BaN is ransomware belonging to the Xorist family. This variant was identified during the examination of samples uploaded to VirusTotal. BaN encrypts files and appends the ".BaN" extension to their filenames. It also presents a ransom note in two forms: an error message and the "HOW TO DECRYPT FILES.txt" file.
An example of how files encrypted by BaN are renamed: "1.jpg" is changed to "1.jpg.BaN", "2.png" to "2.png.BaN", etc.
Screenshot of files encrypted by this ransomware:
BaN ransom note overview
The note begins with a statement that all of the victim's files have been encrypted. The primary demand is for the victim to pay 0.03 bitcoins to regain access to their files. The provided Bitcoin address is where the ransom must be sent. After making the payment, the victim is instructed to contact the attacker via banuda@tuta.io or banuda@skiff.com using a specific subject line.
The note promises that once the payment is confirmed, the victim will receive a decryptor and decryption keys to regain access to their files. The note warns against attempting other decryption options, emphasizing that only the keys generated for the victim's server can decrypt the files.
More details about ransomware
It is important to note that paying the ransom does not guarantee the return of the files. Unfortunately, it is rarely possible to decrypt files without the involvement of the cybercriminals. Looking for third-party decryption tools online or recovering files from backups are typically the only free ways to recover files.
Running a system scan using a reputable security tool and removing ransomware is also important. This prevents ransomware from causing more damage (encrypting more files and spreading over a local network).
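To plan a restore from backups, it helps to know exactly which files were renamed and where ransom notes were dropped. The following is an added example, not code from the original article: it inventories a directory tree using the ".BaN" extension and the "HOW TO DECRYPT FILES.txt" note name given on this page. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators from this page; compared case-insensitively, as on Windows.
ENCRYPTED_EXT = ".ban"
NOTE_NAME = "how to decrypt files.txt"


def inventory(root):
    """Return encrypted files, ransom notes and per-directory counts under root."""
    encrypted, notes, collisions = [], [], []
    by_dir = Counter()
    # onerror: skip unreadable directories instead of aborting the walk
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        present = {f.lower() for f in files}
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                notes.append(full)
            elif lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                original = name[: -len(ENCRYPTED_EXT)]  # "1.jpg.BaN" -> "1.jpg"
                encrypted.append((full, os.path.join(dirpath, original)))
                by_dir[dirpath] += 1
                # Original name already present (restored or recreated file).
                if original.lower() in present:
                    collisions.append(full)
    return {"encrypted": encrypted, "notes": notes,
            "by_dir": by_dir, "collisions": collisions}


def build_sample_tree(root):
    """Constructed sample data: empty files named like the page's examples."""
    layout = {"docs": ["1.jpg.BaN", "2.png.BaN", "HOW TO DECRYPT FILES.txt"],
              "work": ["report.docx.BaN", "report.docx", "notes.txt"]}
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for f in files:
            open(os.path.join(root, sub, f), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = inventory(tmp)
        for path, original in sorted(result["encrypted"]):
            print(f"{path} -> restore as {original}")
        print("ransom notes:", len(result["notes"]), "collisions:", result["collisions"])
```

The script only reads directory listings; entries under "collisions" mark places where a restore would overwrite an existing unencrypted file and should be reviewed by hand.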
Ransomware in general
This malicious form of cyber attack encrypts files, rendering them inaccessible until a ransom is paid to the attackers, often in cryptocurrency. Despite the promise of decryption tools upon payment, victims are not guaranteed to regain access to their data.
Prevention measures, such as regular backups, robust cybersecurity practices, and user awareness, are crucial in mitigating the risks associated with ransomware.
More examples of ransomware variants are Mesmerised, PatchWorkApt, and 3000USDAA.
How did ransomware infect my computer?
Computer infections commonly occur when users install applications (or run files) obtained from untrustworthy origins, such as unofficial websites, P2P networks, third-party downloaders, free file hosting platforms, unofficial app stores, and similar sources.
Another avenue through which computers fall prey to infections involves the exploitation of weaknesses in software or operating systems. Failure to update software leaves users susceptible to cybercriminals who exploit well-known vulnerabilities, gaining entry and injecting malicious software.
Furthermore, systems can be infiltrated by malware through the utilization of pirated software, cracking tools, key generators, and interactions with deceitful advertisements.
Name | BaN virus |
Threat Type | Ransomware, Crypto Virus, Files locker |
Encrypted Files Extension | .BaN |
Ransom Demanding Message | Error message, HOW TO DECRYPT FILES.txt |
Free Decryptor Available? | No |
Ransom Amount | 0.03 BTC |
BTC Wallet | bc1qh9a50kaccf2xjutqhmufgrx2s7ycg8rqajdj6r |
Cyber Criminal Contact | banuda@tuta.io, banuda@skiff.com |
Detection Names | Avast (Win32:Filecoder-M [Trj]), Combo Cleaner (Trojan.Ransom.AIG), ESET-NOD32 (Win32/Filecoder.Q), Kaspersky (Trojan-Ransom.Win32.Xorist.lk), Microsoft (Ransom:Win32/Sorikrypt.A), Full List Of Detections (VirusTotal) |
Symptoms | Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files. |
Additional Information | BaN is part of the Xorist family |
Distribution methods | Infected email attachments (macros), torrent websites, malicious ads. |
Damage | All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection. |
Malware Removal (Windows) | To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
How to protect yourself from ransomware infections?
Exercise caution when downloading software or files by exclusively using trusted sources such as official websites or reputable app stores. Refrain from clicking on suspicious email links or opening attachments from unknown senders. Regularly updating your software and operating system is equally essential.
Also, utilize reputable antivirus and anti-malware software and conduct regular system scans. Practicing safe browsing habits, such as avoiding pirated software, cracking tools, and suspicious advertisements, further reduces the risk of encountering malware and enhances overall computer security.
If your computer is already infected with BaN, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate this ransomware.
Screenshot of BaN's text file ("HOW TO DECRYPT FILES.txt"):
Text in the ransom note (text file and error message):
Hello
All your files have been encrypted
if you want to decrypt them you have to pay me 0.03 bitcoin.
Make sure you send the 0.03 bitcoins to this address:
bc1qh9a50kaccf2xjutqhmufgrx2s7ycg8rqajdj6r
If you don't own bitcoin, you can easily buy it from these sites:
www.coinmama.com
www.bitpanda.com
www.localbitcoins.com
www.paxful.com
You can find a larger list here:
hxxps://bitcoin.org/en/exchanges
After sending the bitcoin, contact me at this email address:
banuda@tuta.io or banuda@skiff.com
with this subject: -
After the payment has been confirmed,
you will get decryptor and decryption keys!
You will also receive information on how to defend against another ransomware attack
and the most important thing is your security hole through which we entered.
Attention!
Do not try other cheaper decryption options because nobody and nothing can
decrypt your files without the keys generated for your server,
you will lose time, money and your files forever!
Screenshot of BaN's error message:
BaN ransomware removal:
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware.
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use the full-featured product, you have to purchase a license for Combo Cleaner. A 7-day free trial is available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com.
Frequently Asked Questions (FAQ)
How was my computer hacked and how did hackers encrypt my files?
Cybercriminals use various ways to trick users into infecting computers. Typically, users inadvertently infect systems through actions like downloading from untrustworthy sources, such as unofficial websites or P2P networks, clicking on suspicious email links or attachments, neglecting software updates, using pirated software, or clicking malicious advertisements.
How to open ".BaN" files?
Your files have been encrypted due to a ransomware infection, and to regain file access, a decryption process is necessary.
Where should I look for free decryption tools for BaN ransomware?
In case of a ransomware attack, you should check the No More Ransom project website (more information above).
I can pay you a lot of money, can you decrypt files for me?
We do not offer this service. Decrypting files encrypted by ransomware is usually only possible with the intervention of developers or operators unless there is a flaw in the ransomware itself. Therefore, a third party claiming to provide paid decryption will likely act as an intermediary or try to deceive you.
Will Combo Cleaner help me remove BaN ransomware?
Combo Cleaner will thoroughly scan your computer and eradicate any active ransomware infections. Employing an antivirus program is an initial measure in ransomware recovery. However, security software is not capable of decrypting the files that have been encrypted.